diff --git a/config/http/captiveportal.nix b/config/http/captiveportal.nix
index 0347107..7f522b5 100644
--- a/config/http/captiveportal.nix
+++ b/config/http/captiveportal.nix
@@ -5,11 +5,6 @@ in {
 extraConfig = ''
 access_log off;
 error_log /dev/null;
-
- add_header Content-Security-Policy "default-src 'none'";
- add_header 'Referrer-Policy' 'same-origin';
- add_header X-Frame-Options DENY;
- add_header X-Content-Type-Options nosniff;
 '';
 locations."/".return = 204;
 forceSSL = false;
diff --git a/config/http/default.nix b/config/http/default.nix
index 451fe9a..178dcdf 100644
--- a/config/http/default.nix
+++ b/config/http/default.nix
@@ -21,6 +21,17 @@ in {
 sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+ appendHttpConfig = ''
+ map $scheme $hsts_header {
+ https "max-age=31536000; includeSubdomains; preload";
+ }
+ add_header Strict-Transport-Security $hsts_header;
+ add_header Content-Security-Policy "default-src 'none'";
+ add_header 'Referrer-Policy' 'origin-when-cross-origin';
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
+ '';
+
 virtualHosts.${customDomain} = {
 default = true;
 root = "/var/www/${customDomain}";
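Review bot: The five `add_header` lines added to `appendHttpConfig` in config/http/default.nix omit the `always` parameter, so nginx attaches them only to a fixed set of success and redirect status codes and error responses (404, 500) go out without HSTS, CSP, X-Frame-Options or nosniff; consider `add_header Strict-Transport-Security $hsts_header always;` and the same suffix on the other four. nginx also inherits http-level `add_header` directives only into blocks that declare none of their own, so any virtualHost or location that later sets its own `add_header` (for instance to relax `default-src 'none'` for a site that serves real pages) silently loses this whole set; a comment above the block such as `# NOTE: a server/location with its own add_header must repeat all of these` would make that visible. Since `includeSubdomains; preload` is now emitted by every HTTPS vhost rather than one chosen host, it is worth confirming that every subdomain of each served domain is HTTPS-only before relying on it. The enclosing attribute set starts and ends outside the hunk, so other vhosts that may already set headers are not visible here.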